summaryrefslogtreecommitdiff
path: root/sys/netinet/ip_esp.c
AgeCommit message (Collapse)Author
1999-07-05remove bogus entry from if_enc address list; and rename enc_softc to encifTheo de Raadt
1999-05-16spltdb introduced, protection for tdb lists and related structures, soNiklas Hallqvist
they won't disappear behind our back by an expiration. Cleanup expiration logic too.
1999-05-14A new scalable IPsec SA expiration model.Niklas Hallqvist
1999-04-11Introduce net.inet.{ah,esp}.enable sysctl controls that are off by default.Niklas Hallqvist
If you are going to use either of AH or ESP or both, enable these in /etc/sysctl.conf. Also correct the IPSec debugging sysctl code, it is now named net.inet.ip.encdebug. Some corrected function signatures too.
1999-04-09Make the tdbi handling more robust, removes a panic caseNiklas Hallqvist
1999-03-27add SADB_X_BINDSA to pfkey allowing incoming SAs to refer to an outgoingNiels Provos
SA to be used, use this SA in ip_output if available. allow mobile road warriors for bind SAs with wildcard dst and src addresses. check IPSEC AUTH and ESP level when receiving packets, drop them if protection is insufficient. add stats to show dropped packets because of insufficient IPSEC protection. -- phew. this was all done in canada. dugsong and linh provided the ride and company.
1999-02-24Update copyright; remove a few annoying debugging printfs.Angelos D. Keromytis
Btw, OpenBSD hit 25000 commits a couple commits ago.
1999-02-24Remove encap.h include; saner debugging printfs; fix buglets; work withAngelos D. Keromytis
pfkeyv2.
1998-06-10make the packets which were successfully processed by IPSec available toNiels Provos
bpf via the enc0 interface, using linktype DLT_ENC.
1998-05-24avoid source address spoofing for mutual hostile hosts which have SAs toNiels Provos
us, reported by Craig Metz <cmetz@inner.net>.
1998-05-18first step to the setsockopt/getsockopt interface as described inNiels Provos
draft-mcdonald-simple-ipsec-api, kernel notifies (EMT_REQUESTSA) signal userland key management applications when security services are requested. this is only for outgoing connections at the moment, incoming packets are not yet checked against the selected socket policy.
1997-11-04make it easier to add additional transforms. add blowfish and castNiels Provos
encryption. some more info for kernfs/ipsec.
1997-10-02conditional error loggingTheo de Raadt
1997-09-28log() needs a \nTheo de Raadt
1997-07-27expiration messages, fixes, updates, all sorts of thingsNiklas Hallqvist
1997-07-18enablespi/disablespi in encap + print spi's in hostorderNiels Provos
1997-07-11put old esp/ah and new esp/ah in different files.Niels Provos
generalised way of handling transforms.
1997-07-01major restructuringNiels Provos
1997-06-25hard and soft limits for SPI's per absolute timer, relative since establish,Niels Provos
relative since first use timers, packet and byte counters. notify key mgmt on soft limits. key mgmt can now specify limits. new encap messages: EMT_RESERVESPI, EMT_ENABLESPI, EMT_DISABLESPI
1997-06-21u_int32_t changes, need testingTheo de Raadt
1997-06-20ah-sha1 + esp-3des + indentationNiels Provos
1997-02-26count input/output packets for espTheo de Raadt
1997-02-24OpenBSD tags + some prototyping policeNiklas Hallqvist
1997-02-20IPSEC package by John Ioannidis and Angelos D. Keromytis. Written inTheo de Raadt
Greece. From ftp.funet.fi:/pub/unix/security/net/ip/BSDipsec.tar.gz